The campaign was first spotted by experts at Cisco Talos, attackers used to spread a new version of the Zeus Panda banking Trojan that can steal user’s financial credentials and other sensitive data.

“The initial vector used to initiate this infection process does not appear to be email based. In this particular campaign, the attacker(s) targeted specific sets of search keywords that are likely to be queried by potential targets using search engines such as Google.” reads the analysis published by Cisco. “By leveraging compromised web servers, the attacker was able to ensure that their malicious results would be ranked highly within search engines, thus increasing the likelihood that they would be clicked on by potential victims.”

The researchers reported a specific case in which the crooks’ poisoned results were displayed several times on Page 1 of the Search Engine Results Page (SERP) for the set of keyword targeted by hackers. The attackers used keyword groups specific to financial institutions in India and the Middle East.

Experts from Cisco discovered hundreds of malicious pages specifically designed to redirect victims to the malicious payload, in order to improve the infection process the hackers implemented a multiple stage attack.

Cisco Talos reported that the same redirection system and associated infrastructure has been used in tech support and fake AV scams aimed at the distribution of Zeus Trojan.

The query results point malicious webpages including JavaScript used by crooks to redirect users to an intermediary site where more JavaScript is executed, which results in an HTTP GET request to another page. Following server’s response, the victim is redirected to another compromised site hosting a malicious Word document.

The Word document includes malicious macros that once enabled download and execute a PE32 executable that infects the victim’s machine with the Zeus Panda banking Trojan.

“The payload that Talos analyzed was a multi-stage payload, with the initial stage featuring several anti-analysis techniques designed to make analysis more difficult and prolonged execution to avoid detection. It also featured several evasion techniques designed to ensure that the malware would not execute properly in automated analysis environments, or sandboxes.” continues Cisco Talos.

The malware checks the system language and halts if it detects Russian, Belarusian, Kazak, or Ukrainian keyboard layouts. It also checks if its code is executed in sandbox environments.

The experts observed that the malware makes a large number of exception calls to cause sandboxes to crash preventing automated analysis.

“Attackers are constantly trying to find new ways to entice users to run malware that can be used to infect the victim’s computer with various payloads. Talos uncovered an entire framework that is using ‘SERP poisoning’ to target unsuspecting users and distribute the Zeus Panda banking Trojan. In this case, the attackers are taking specific keyword searches and ensuring that their malicious results are displayed high in the results returned by search engines,” Cisco concluded.